FBI Solves Case Thanks to PureVPN Lies

News has emerged this week that proves PureVPN is lying to consumers about how it keeps logs. The story serves as an urgent reminder that great care must be taken to select a credible Virtual Private Network (VPN) service.

The story surrounds the case of a cyberstalker from Newton, Massachusetts. Ryan Lin, 24, is accused of cyberbullying, harassing, and regularly hacking multiple accounts belonging to a 24-year-old woman referred to in the case as Jennifer Smith (not the victim’s real name).

Disgusting Harassment

The nauseating list of crimes includes accessing Apple iCloud to steal the victim’s personal photos and then later create a collage of Smith alongside random explicit photos. After finishing the vile creation, Mr Lin went on to disseminate it via email to a number of Smith’s friends and contacts (including one minor). The emails were spoofed to make them seem like they came from Smith herself.

As if that wasn’t enough, the accused went on to send excerpts from Smith’s private journal to several of her contacts. Those highly personal journal entries contained details about her psychological, medical, and sexual history.

Mr Lin also started accounts with adult online services in Smith’s name. Using those falsified accounts, Mr Lin searched for people wishing to engage in extreme sexual fantasies such as BDSM, gangbang, and rape. At least three people came to Miss Smith’s abode looking for her in response to those fake solicitations.

The full list of abusive exploitations carried out by Mr Lin is horrific, degrading, and damned right deplorable. The harassment caused Smith to move out of her home. According to the affidavit, the abusive campaign continued long after that time.

Digital Fingerprints

Local police attempted to follow up on Miss Smith’s complaints and allegations for nearly a year. Unfortunately for the police, Mr Lin was using a combination of Protonmail, Tor, and VPN services to cover his steps and conceal his identity. For this reason, local police decided to call in the FBI to help solve the case.

After recovering a computer from Lin’s former employer, the FBI was able to uncover a number of digital artifacts that allowed them to form a case for the prosecution. These included traces of data that showed that Lin had been using PureVPN. With the knowledge that Lin had used PureVPN, the FBI decided to approach the VPN firm for information.

In its privacy policy, PureVPN claims only to keep connection logs:

So, how was PureVPN able to reveal that Mr Lin’s VPN IP address had logged into his Gmail address, along with another Gmail address used to harass Smith? How was PureVPN able to confirm that Lin used a Rover.com account to discover Smith's real phone number? Finally, how was PureVPN able to link criminal activity to Lin's home and work IP addresses?

The answer to this question is actually quite simple. It was achieved using a time correlation attack. What the privacy policy fails to mention, is that when PureVPN logs a connection time to one of its servers, it also stores the VPN user’s home IP address. As such, PureVPN wasn’t actually able to inform the FBI about what Lin had used the VPN for - the FBI had gained this information beforehand.

Here is how it unfolded:

The FBI got suspected IP addresses from Gmail and Rover.com. Those IP addresses were confirmed to belong to PureVPN. The FBI then approached PureVPN to tell them which VPN IP addresses were suspected in these crimes - as well as Lin’s real IP address.

At that point, PureVPN was able to check to see if Lin’s home address had logged on to the suspected VPN IP addresses just before the times given to the FBI by Gmail and Rover.com. The VPN connection time stamps instantly revealed that Mr Lin’s real IP address had indeed used the VPN at those times.

Awkward Position

On this occasion, the authorities, the victim - and society as a whole - can feel thankful that not only was Mr Lin using a VPN known to be particularly useless for guarding people’s privacy, but also for PureVPN’s willingness to help with the FBI’s investigation.

Anyone with even a semblance of empathy for the victim will be glad that Mr Lin has been caught. Personally, I hope that Mr Lin is punished with the entire weight of the criminal justice system.

A VPN for Privacy

Despite my relief that Lin will be prosecuted, I am left in the somewhat awkward position of having to explain why consumers should avoid using lousy VPNs if they truly care about their digital privacy.

Privacy tools such as VPNs are just that: tools. The best analogy I can think of for comparison is that of a getaway car. Criminals can make use of a car to make their getaway after robbing a bank. Does that make cars (and those who use them) inherently evil? Of course not. At the end of the day, most tools can be used for good or bad ends. VPN services are no different.

Privacy is a fundamental human right that must be defended at all costs. Especially nowadays, when overreaching governments and their agencies invade the digital privacy of their electorate en masse.

The majority of citizens don't deserve to be stripped of their right to privacy because of the repulsive actions of a minority. VPNs give people the power and ability to stop Internet Service Providers (ISPs) and governments from overstepping an important boundary. Without VPNs (and encryption in general), private communication is vulnerable to attack. And if it can be attacked by one party, it can be attacked by another.

PureVPN - What This Case Tells Us

PureVPN is already on the ProPrivacy.com radar as a provider that doesn't provide a secure service. Domain Name System (DNS) leaks are common and the privacy policy explains that connection logs will be kept by the VPN provider. It is for this reason that PureVPN is specifically flagged up in its review as being especially bad for privacy.

This case, however, is the first time that concrete evidence has emerged that proves PureVPN is keeping more detailed logs about its subscribers than it claims. In addition, the case serves to reinforce that any VPN that keeps connection time stamps - alongside customer IP addresses - can never be considered private (a point that we always make when reviewing VPN providers). While on this occasion we may feel like celebrating that fact that the perpetrator will face justice, there can be no doubt that this event puts a big black mark next to PureVPN’s already disreputable name.

This VPN lies about having DNS leak protection and lies about the way that it keeps connection logs. I wouldn’t be surprised if it also lied about the level of encryption that it is providing. Our reviewer was unable to get encryption implementation details from the VPN’s technical team: a sure sign that the encryption is weak.

If you care about your digital footprint, the message is loud and clear: PureVPN (and other VPNs that keep timestamps with IP addresses) should be avoided at all costs. Why? Because if PureVPN is willing to help the US government, one has to ask the question: What is stopping it from helping more unsavory political regimes from mounting similar time correlation attacks to link VPN users to censored or banned content, which could get them in trouble?

Digital privacy expert with 4+ years experience testing and reviewing VPNs. He's been quoted in The Express, Barrons, the Scottish Herald, ThreatPost, CNET & many more. Ray is currently rated number 1 VPN authority by Agilience.com.

26 Comments

Jim

What I don't understand is why PureVPN complied with the FBI at all. The US has no judicial authority over Hong Kong, so why didn't PureVPN just tell the FBI they were unable to assist with their inquiry?

Douglas Crawford replied to Jim

Hi Jim, Well, it does seem that Mr Lin is a terrible human being. So my guess is that they thought they were doing the "right thing." Problem is, based on what is loudly proclaimed on PureVPNs website, they should never have been able to...

Douglas Crawford replied to James

Hi James, Al of our reviews should include a section that goes into great detail about what logs a company says it keeps. If this information is not available via their websites and/or privacy policies, we check. It is true that some older reviews and reviews by authors who are still learning the ropes may not be as thorough as our current standards demand, but these should be the exception, and should be phased out over time.

Kodi

One can't trust any VPN provider that's US based. I don't even think PureVPN was US based which makes this even more troubling. That's why people should stay away from inexpensive VPN providers like HMA, PIA, and IPVanish.

Silka

Does expressvpn keep logs of its users ? They even ask your email address before you ask something from their customer service ? I use them and getting clear picture of what they keep and what they don’t will help

Douglas Crawford replied to Silka

Hi Silka, Please check out our ExpressVPN Review for full details. TL:DR version: ExpressVPN collects some some minimal aggregated metadata, but it does not log IPs or a timestamps. Without IPs and timestamps, there is little to no privacy risk to users, and the kind of attack used against this PureVPN customer would be impossible.